{"id":29782053,"url":"https://github.com/jupiterone/sbom-integration","last_synced_at":"2025-07-27T14:11:39.169Z","repository":{"id":294964471,"uuid":"988642998","full_name":"JupiterOne/sbom-integration","owner":"JupiterOne","description":null,"archived":false,"fork":false,"pushed_at":"2025-05-22T22:13:40.000Z","size":11,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-22T22:59:44.187Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JupiterOne.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-22T21:21:21.000Z","updated_at":"2025-05-22T22:13:42.000Z","dependencies_parsed_at":"2025-05-22T23:09:59.915Z","dependency_job_id":null,"html_url":"https://github.com/JupiterOne/sbom-integration","commit_stats":null,"previous_names":["jupiterone/sbom-integration"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/JupiterOne/sbom-integration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JupiterOne%2Fsbom-integration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JupiterOne%2Fsbom-integration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JupiterOne%2Fsbom-integration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JupiterOne%2Fsbom-integration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JupiterOne","download_url":"https://codeload.github.com/JupiterOne/sbom-integration/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JupiterOne%2Fsbom-integration/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267368932,"owners_count":24076093,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-27T02:00:11.917Z","response_time":82,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-07-27T14:11:29.422Z","updated_at":"2025-07-27T14:11:39.156Z","avatar_url":"https://github.com/JupiterOne.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# JupiterOne SBOM Ingestion Tool\n\nThis tool processes CycloneDX Software Bill of Materials (SBOM) files and uploads the data to JupiterOne. It can be used to track dependencies and their relationships in your JupiterOne graph.\n\n## Prerequisites\n\n- Python 3.6+\n- [cdxgen](https://github.com/CycloneDX/cdxgen) for SBOM generation (optional)\n- JupiterOne account and API credentials\n- JupiterOne integration instance ID (if uploading)\n\n## Installation\n\n1. Clone this repository:\n```bash\ngit clone \u003crepository-url\u003e\ncd \u003crepository-directory\u003e\n```\n\n2. Create and activate a virtual environment (optional but recommended):\n```bash\npython -m venv .venv\nsource .venv/bin/activate  # On Windows, use: .venv\\Scripts\\activate\n```\n\n3. Install dependencies:\n```bash\npip install -r requirements.txt\n```\n\n## SBOM Generation\n\nBefore using this tool, you need a CycloneDX SBOM file. You can generate one using cdxgen:\n\n1. Install cdxgen:\n```bash\nnpm install -g @cyclonedx/cdxgen\n```\n\n2. Generate SBOM:\n```bash\ncdxgen [REPO_TO_BUILD_SBOM_FOR] -o sbom.json\n```\n\n## Configuration\n\nThere are three ways to provide configuration (in order of precedence):\n\n1. Command line arguments (highest priority)\n2. Environment variables\n3. .env file (lowest priority)\n\n### Using a .env File\n\nCreate a `.env` file based on the provided `.env.example`:\n\n```bash\ncp .env.example .env\n```\n\nEdit the `.env` file with your JupiterOne credentials and configuration:\n\n```ini\n# JupiterOne Credentials\nJUPITERONE_ACCOUNT_ID=your_account_id\nJUPITERONE_API_KEY=your_api_key\n\n# JupiterOne Configuration\nJUPITERONE_REGION=us\nJUPITERONE_INTEGRATION_INSTANCE_ID=your_integration_instance_id\nJUPITERONE_TARGET_ENTITY_KEY=your_target_entity_key\nJUPITERONE_TARGET_ENTITY_SCOPE=your_target_entity_scope\n\n# Optional: Set logging level (DEBUG, INFO, WARNING, ERROR)\nLOG_LEVEL=INFO\n```\n\n## Usage\n\n### Process SBOM Only (No Upload)\n\n```bash\npython j1_sbom_ingest.py sbom.json output.json\n```\n\n### Process and Upload to JupiterOne\n\nUsing command line arguments:\n```bash\npython j1_sbom_ingest.py sbom.json output.json --upload \\\n  --account-id YOUR_ACCOUNT_ID \\\n  --api-key YOUR_API_KEY \\\n  --integration-instance-id YOUR_INSTANCE_ID\n```\n\nUsing environment variables or .env file:\n```bash\npython j1_sbom_ingest.py sbom.json output.json --upload\n```\n\n### Command Line Arguments\n\n- `sbom_file`: Path to input SBOM file (required)\n- `output_file`: Path to output JSON file (required)\n- `--upload`: Flag to upload data to JupiterOne\n- `--log-level`: Logging level (default: INFO)\n- `--account-id`: JupiterOne account ID\n- `--api-key`: JupiterOne API key\n- `--region`: JupiterOne region (default: us)\n- `--integration-instance-id`: JupiterOne integration instance ID\n- `--target-entity-key`: Target entity key for relationships\n- `--target-entity-scope`: Target entity scope for relationships\n\n## Environment Variables\n\nInstead of command line arguments, you can use environment variables or a .env file:\n\n- `JUPITERONE_ACCOUNT_ID`: Your JupiterOne account ID\n- `JUPITERONE_API_KEY`: Your JupiterOne API key\n- `JUPITERONE_REGION`: JupiterOne region (default: us)\n- `JUPITERONE_INTEGRATION_INSTANCE_ID`: Integration instance ID\n- `JUPITERONE_TARGET_ENTITY_KEY`: Target entity key for relationships\n- `JUPITERONE_TARGET_ENTITY_SCOPE`: Target entity scope for relationships\n- `LOG_LEVEL`: Logging level (default: INFO)\n\n## Output\n\nThe tool generates a JSON file containing:\n- Entities representing code modules from the SBOM\n- Relationships between code modules\n- Relationships to a target entity (if specified)\n\n### Entity Properties\n- `_type`: Derived from package type (e.g., npm_library)\n- `_class`: Always \"CodeModule\"\n- `_key`: Derived from package URL (purl) without version\n- Other properties include: description, author, name, licenseType, etc.\n\n### Relationship Properties\n- `_type`: \"codemodule_contains_codemodule\" or \"coderepo_contains_codemodule\"\n- `_class`: \"CONTAINS\"\n- `version`: Version of the dependency\n- `_key`: Unique identifier for the relationship\n\n## Error Handling\n\n- The script will exit with code 1 if any errors occur\n- Error messages are logged to stderr\n- Use `--log-level DEBUG` for more detailed logging\n- Authentication errors will only occur when using the upload feature\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjupiterone%2Fsbom-integration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjupiterone%2Fsbom-integration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjupiterone%2Fsbom-integration/lists"}